Software “symbiotes” signal attacks on embedded systems

All current Cisco IP phones, including the ones seen on desks in the White House and aboard Air Force One, have a vulnerability that allows hackers to take complete control of the devices. Now computer scientists at Columbia University have developed a defense they call a “symbiote” that can detect any such intrusions. [Editor’s note: IEEE Spectrum uses Cisco IP phones too.]

The Columbia researchers discovered bugs in the phone’s kernel—essentially, the heart of its operating system—that can give intruders total access to the phones [PDF]. Once hackers are inside a phone, they can turn on its microphones, transforming it into an eavesdropping device. They can also use a compromised phone as the staging area for attacks on other phones—and on computers and devices such as printers—connected to the same network. The researchers, including computer scientist Ang Cui, reported the vulnerability to Cisco on 22 October 2012, within a few days of discovering and verifying the bug.

Although the attack the researchers originally documented relies on physical access to target phones, Cui says it’s possible to compromise the telephones remotely via the Internet. “This problem is not unique to Cisco,” adds Salvatore Stolfo, a computer science professor at Columbia University. “Avaya and other phone vendors undoubtedly have similar issues with their software.”

Such problems reflect the vulnerability of embedded systems—the near-ubiquitous computers found in printers, routers, and phones as well as cars, rail lines, power plants, prison-cell doors, and implantable medical devices. Computer security has largely focused on personal computers and not on the embedded systems that make up large parts of government and corporate infrastructures, Cui says.

SYMBIOTES: Code embedded on the phone watches for anomalies that might indicate an intruder.

Now the Columbia team says it has forged a new weapon that can defend Cisco phones against such exploits. The new anti-malware software, which they call symbiotes [PDF], resides directly in the embedded system’s firmware, continuously scanning random chunks of the programs running the system to check for anomalies. In essence, say the Columbia researchers, the symbiote serves as an immune system against intrusions. When the researchers demonstrated the attack that turns a Cisco phone into a listening post, the symbiote-protected phone signaled with a flashing red light. It also called Cui with a message: “My IP phone has been pwned.” (“Pwned” is hacker slang for “owned.”) “This is the first IP phone with an antivirus on it,” Stolfo says.

One key advantage of symbiotes is that they could detect unanticipated or “zero-day” attacks, Stolfo says, unlike anti-malware programs that rely on known patterns of misbehavior. “The symbiote doesn’t know all the vulnerabilities of what it’s protecting, just what the consequences of an exploit would look like,” Cui explains. The Columbia researchers, who are commercializing their work via their start-up Red Balloon Security, report that the symbiote devised for Cisco phones takes up just 200 bytes of data. The software scans the host phone’s kernel a few hundred times per second for intrusions, Cui says.

Stolfo cautions that the symbiote still needs to be tested on real networks. Still, if and when symbiotes are deployed en masse, “we’ll be able to prevent large-scale exploits of embedded systems for 10 years, in my estimation,” Stolfo says. For added defense, future symbiotes may be able to monitor not only the device in which they reside but also other devices connected to the same network, Cui adds.

The researchers, who will detail their latest findings on 28 February at the RSA Conference in San Francisco, are now talking with companies and government agencies about incorporating symbiotes into embedded systems on a large scale.